Sunday, 1 July 2012

Monitor or intercept

The latest snooping proposals from the government have a lot of issues: moral, legal, technical, security, and many more. But there have to be some "lines" drawn somewhere, and they need to understand them. One such line is between monitor and intercept. There are many other lines, and some are hard to draw (like the difference between envelope and content), but that is something for another day.

Monitoring means "listening in", in effect. It means the communications continues as normal, the same as if you are not monitoring, but you as the person doing the monitoring get to see a copy of some or all of what is being communicated.

Intercepting means you actually take the communications, and do things with it before sending it on. You may change where it goes, block some of it, change some of it. It is much more serious in lots of different ways than monitoring.

The problem is that the government want to be able to track who is talking to whom, i.e. the communications data. I am sure they would love to see what everyone is saying as well, but they know that really is going too far to get re-elected. To be honest, what they seem to be proposing now is going too far in my view.

However, there are plenty of means of communication that are not handled by someone in the UK. Facebook and twitter and games and all sorts can mean that they would have to convince a non-UK company to provide monitoring of that communications data. They don't like this, for obvious reasons.

So they want to snoop on the communications as it passes through UK ISPs. Essentially monitoring everything, so it seems.

There is another problem - some of these non-UK companies are using encryption - i.e. https (secure web page access) like your bank uses. This means that they cannot see what is being communicated simply by monitoring in the middle. The whole idea of encryption is to stop such things.

They claim to have a way around that! Why the hell do they think they can monitor encrypted traffic? Well, the answer, we think, is that they have had vendors of black boxes show them it can be done. And, in a controlled corporate environment, there are ways. One way is that you mess with the settings on everyone's computer (installing a new CA) so that you can do what is called a "man in the middle" (MITM) attack without the computers being aware of it. In effect you pretend to be facebook or twitter (or your bank) when talking to your computer, and you make it believe you. Then you pretend to be you when talking to facebook, twitter, etc., and pass on the content of the encrypted communications after looking at it and taking a copy. In theory this can also be done if you are in bed with the certificate authorities and get a dodgy CA. Any CA found doing this would go out of business quickly though.

For me, this moves very clearly from monitoring to interception. Now you are actually messing with the communications. This is very very bad for a lot of reasons.

It is just wrong - if you are monitoring, then that is all you should be doing

It undermines the whole principle of secure communications and can allow real MITM attacks behind the government system

It allows you to snoop on the bank, and anything else you want

It is detectable by anyone that is looking, and more and more people will look

It will break lots of things

It creates some really nice targets for any criminals and hackers to go after

It is technically a nightmare, including scaling issues and single points of failure

This last point is very important. For an ISP, monitoring communications can, in principle, be done by setting up a monitoring port on one or more switches. This is a port to which the switch tries to send a copy of every packet. Technically, this is simple, though picking where to put it in the network is harder. Also, it is low risk. If the black box breaks, the network does not. If there is too much data, the black box does not see 100% of it, but it sees some, and again, nothing actually breaks.

But, if you want to intercept traffic, that is a lot harder. It means that you send everything into and back out of a black box. It means ensuring all of the communications goes via this one point, and does not have packets spread over several redundant links. It means your whole network relies on the black box working and having enough capacity to cope with the load. It also means some stupidly expensive black boxes. Looking on-line there are some expensive boxes that handle 100Mb/s of traffic and some really expensive ones that handle 1Gb/s of traffic. Even A&A's tiny network is going over 1Gb/s now. They need many orders of magnitude more in order to work with any of the larger UK ISPs. It is basically impossible, but trying will break lots of stuff.

It won't actually help. There will be ways to communicate securely and without monitoring of the communications traffic. There are well established systems in place for this, designed to allow people working under oppressive regimes to communicate with the outside world - where being found out could get them shot. Such systems will always exist, and there is no reason to think that they will not be used.

One interesting discussion on the mailing list is what if a web site wants to check that it is not being intercepted. It is possible that a plugin or some websocket javascript or some such on a standard browser, right now, could check the certificate data on an SSL link. If that is the case, any web site could simply include a simple app to report to the user that they are being intercepted. The likes of facebook or twitter could make it so you cannot use them from an intercepted connection. This is even more possible, and perhaps likely, for games where the client is the game itself. Well, what would a hacker do to bypass this? They would change that javascript or app on the fly, so that it does not report the issue. Would this be going too far for our government? I bloody well hope so. If this is allowed, then what of a page that has in it text giving instructions to tell the end user how to check the certificate (as we do on the A&A accounts web page)? Are they allowed to change the text on the site to remove such instructions? What else would they be allowed to remove, AKA censor?
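The "dodgy CA" case from above, played out as an added example (this is not code from the post or from A&A): a root that every browser trusts signs an interception sub-CA, which then issues a second certificate for the site. Browser-style chain validation accepts the forged chain, while the kind of certificate check the post talks about, here a pinned SHA-256 of the site's real public key (SPKI), flags the substitution. All names and keys are constructed on the fly with Go's standard crypto/x509; nothing touches the network.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a throwaway certificate for name, signed by parent (self-signed when parent is nil).
func mkCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames: []string{name}, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// spkiPin is the SHA-256 of the SubjectPublicKeyInfo: the value a site (or its client app) would pin.
func spkiPin(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo)) }
// chainValid is what a browser that trusts root decides about leaf for host: chain validation only.
func chainValid(leaf, inter, root *x509.Certificate, host string) bool {
	pool := func(c *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c); return p }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool(root), Intermediates: pool(inter), DNSName: host})
	return err == nil
}
// Scenario plays out the post's "dodgy CA" case and reports (browser accepts forged chain?, forged leaf matches the site's pin?).
func Scenario() (browserAccepts, pinMatches bool) {
	root, rootKey := mkCert("Widely Trusted Root CA", true, nil, nil)     // constructed: stands in for a root every browser trusts
	inter, interKey := mkCert("Interception Sub-CA", true, root, rootKey) // constructed: the sub-CA an intercepting box would hold
	genuine, _ := mkCert("www.example.com", false, root, rootKey)         // constructed: the site's real certificate, whose key is pinned
	forged, _ := mkCert("www.example.com", false, inter, interKey)        // constructed: what the box presents to the client instead
	return chainValid(forged, inter, root, "www.example.com"), spkiPin(forged) == spkiPin(genuine)
}
func main() { fmt.Println(Scenario()) } // prints "true false": valid chain, wrong pin
```

The same comparison is what a site's script or a game client would do against a pin shipped with the app, which is why the post worries about such checks being edited out in transit.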

At the end of the day, we have to consider very carefully how much freedom and privacy we want to give up. Remember, bee stings have killed as many people in the UK as terrorists so far this millennium. Think of the bees!

Update: ISPreview say "At present ISPs are already required, if requested, to maintain a very basic log of their customers’ internet website and email accesses (times, dates and IP addresses) for a year, which is made available to various government and security services via a warrant. This does NOT include the actual content of your communication." which is not quite true. We only log email that goes via our mail servers and web pages accessed on our web servers. We have not been asked to keep these logs for a year. We do not have to snoop on customers to see what web pages they access or what emails or tweets or pokes they do. This new law would require that.

It is actually possible to have an off-line (not in-line) black box that intercepts and interferes. I know this because I used to work for a company that was using such technology (albeit on HTTP only traffic (not encrypted)). It can be done, and is real. It's very clever, because it can interfere (intercept) the network traffic but, if it breaks, causes no impact to the end user. It was working at the TCP/IP layer, and interfering with that layer of the stack (not actually modifying HTTP data to/from the client/server) but still, achieved enough to be deemed as interception and interference (IMO).

And it's possible to process several hundred Gigabits of customer data per second (tapped from all ISP edge routers/ports) and have it analysed as required. The only limit is how many servers and how much CPU power they will use, and what the electricity bill will be to power the platform. The kit involved is not standard off the shelf stuff; it requires exceptional knowledge to configure it and to wire/code it up the right way to make it work.

I agree, for encrypted traffic, monitoring and interception is mostly a complete waste of time. So it seems that if we want privacy with all this snooping legislation potentially being pushed through government, it's time to start converting many protocols to use encryption.

Well, depends what the law is and what ways around it are, but I am not planning to go to prison :-) If we get stuck with any of this crap, there are ways to make a business out of it including selling off shore VPN services, and equipment, and so on.

I work for a technology company whose product can be installed in your corporate network for SSL interception and policy evaluation (a black box). Interception for HTTPS works a treat, but just don't try and put any non-HTTP protocol through it - it breaks communication completely.

Even if the Government had access to some kind of Subordinate/Root CA for re-signing intercepted HTTPS pages (which I have a suspicion of) AND they could get that CA published to all of the browsers in the UK, this won't work for non-HTTPS protocols. For example, Skype does not use standard SSL for communication. As RevK pointed out in another post, attempting to perform interception 'breaks stuff'.

My assumption would be that the Govt. would need to develop a product that can understand and intercept/decrypt non-standard protocols (whether on-the-fly, or offline) e.g. Skype, Mumble, TeamSpeak, World-of-Warcraft, Team-Fortress, Warcraft, Unreal, L4D, Half-life... the list is endless...

In reality, the best they are going to be able to achieve is logging the time/date/location of a client-PC and the IP/port it was connecting to (with the exception of plain-text protocols such as HTTP of course).

I don't imagine they will ever be able to log the time/date of a specific chat message being sent for the encrypted/more complicated non-standard protocols.

It's also worth mentioning, technically speaking, you wouldn't need to get the new 'interception CA' onto all the UK browsers if you can get an intermediate sub-CA signed by a root CA (e.g. Verisign, Entrust, etc.)

Provided the browser trusts the root CA, it doesn't generally care about checking the intermediate CA (which would be the one being used for interception)